authorEugen Rochko <eugen@zeonfederated.com>2022-10-28 00:48:30 +0200
committerGitHub <noreply@github.com>2022-10-28 00:48:30 +0200
commit07cc201accd4a04c8c11cda21eecded4e7875d55 (patch)
treeb93b9e426549f88ef79cdf90bca15b0bc9596bb9
parent8ae0936ddd92eadb519c0440aae3961fcd820106 (diff)
Fix using wrong policy on status-related actions in admin UI (#19490)
-rw-r--r--app/models/admin/status_batch_action.rb4
-rw-r--r--app/models/trends/status_batch.rb4
2 files changed, 4 insertions, 4 deletions
diff --git a/app/models/admin/status_batch_action.rb b/app/models/admin/status_batch_action.rb
index 7bf6fa6da..0ec4fef82 100644
--- a/app/models/admin/status_batch_action.rb
+++ b/app/models/admin/status_batch_action.rb
@@ -40,7 +40,7 @@ class Admin::StatusBatchAction
   end
 
   def handle_delete!
-    statuses.each { |status| authorize(status, :destroy?) }
+    statuses.each { |status| authorize([:admin, status], :destroy?) }
 
     ApplicationRecord.transaction do
       statuses.each do |status|
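Review bot: The `[:admin, status]` argument in `handle_delete!` is the whole fix, yet nothing at the call site says why the array form is required, so a later edit could drop it again unnoticed. A one-line comment above the call, such as `# namespaced lookup: use the admin policy, not the user-facing status policy`, would record the intent; the same applies to the `authorize` call in the second hunk and to `approve!`/`reject!` in `Trends::StatusBatch`. The diffstat lists only the two model files, so no spec pins this behaviour. A spec that runs each action as an account lacking the required permission and expects the authorization failure would catch a regression. The body of `handle_delete!` continues past the end of this hunk.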
@@ -75,7 +75,7 @@ class Admin::StatusBatchAction
     statuses.includes(:media_attachments, :preview_cards).find_each do |status|
       next unless status.with_media? || status.with_preview_card?
 
-      authorize(status, :update?)
+      authorize([:admin, status], :update?)
 
       if target_account.local?
         UpdateStatusService.new.call(status, representative_account.id, sensitive: true)
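Review bot: The `authorize([:admin, status], :update?)` call sits inside the `find_each` loop, so by the time a later status is denied, earlier iterations may already have gone through `UpdateStatusService`. Unless a transaction outside this hunk wraps the loop, that leaves the batch half applied. `handle_delete!` in the same file authorizes every status before it changes anything, and the same shape here, `statuses.each { |status| authorize([:admin, status], :update?) }` ahead of the loop, would keep the action all-or-nothing. That variant also checks statuses the `next unless` guard currently skips, which looks like the safer default for a moderation action. The enclosing method starts and ends outside the hunk, so confirm against the full body.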
diff --git a/app/models/trends/status_batch.rb b/app/models/trends/status_batch.rb
index 78d93bed4..f9b97b224 100644
--- a/app/models/trends/status_batch.rb
+++ b/app/models/trends/status_batch.rb
@@ -30,7 +30,7 @@ class Trends::StatusBatch
   end
 
   def approve!
-    statuses.each { |status| authorize(status, :review?) }
+    statuses.each { |status| authorize([:admin, status], :review?) }
     statuses.update_all(trendable: true)
   end
 
@@ -45,7 +45,7 @@ class Trends::StatusBatch
   end
 
   def reject!
-    statuses.each { |status| authorize(status, :review?) }
+    statuses.each { |status| authorize([:admin, status], :review?) }
     statuses.update_all(trendable: false)
   end